- IDA Pro
- Lab14-03.exe SHA256: a00c3277d9e56864d615441f41d5405216c1130107067094643a268b944b9c71
- Detection Rate: 20/53
- Analyzed on 2016-03-18
- Compilation Date: 2011-08-22 05:08:27
This lab builds on Lab 14-1. Imagine that this malware is an attempt by
the attacker to improve his techniques. Analyze the malware found in file
1. What hard-coded elements are used in the initial beacon? What elements,
if any, would make a good signature?
From the figure below, we can see a hard-coded User-Agent and hard-coded headers (Accept, Accept-Language, Accept-Encoding, and a unique UA-CPU field). All of these can be used as a signature, especially the UA-CPU field. Note also that the author passes the string “User-Agent: xxx” into the InternetOpenA API call, which results in the User-Agent field being set to User-Agent: User-Agent: xxx… This duplication is a mistake on the author's part that we can also use to build a good signature.
2. What elements of the initial beacon may not be conducive to a long-lasting
In the subroutine at 0x401457, we can see that the URL “http://www.practicalmalwareanalsysis.com/start.htm” is set as the beacon destination. However, this only happens if “c:\\autobat.exe” does not exist; if it does, its contents are read and parsed as the beacon destination instead. Using “http://www.practicalmalwareanalsysis.com/start.htm” as a signature might therefore not be a good idea, since the attacker can change the beacon destination through that file.
3. How does the malware obtain commands? What example from the
chapter used a similar methodology? What are the advantages of this
The malware scans the response for a <noscript> tag; the text after the tag is the command to execute. The advantage of this technique is that it hides the commands in plain sight, blended into the returned HTML page, which makes detection harder for the defender.
4. When the malware receives input, what checks are performed on the
input to determine whether it is a valid command? How does the
attacker hide the list of commands the malware is searching for?
Analyzing the subroutines at 0x00401000 and 0x00401684, the checks are as follows:
- the response starts with <noscript>
- a URL exists after <noscript>
- the URL ends with “69'”
- commands must be in the form /command/parameter
The attacker hides the commands by switching only on the first character of the command word. He can therefore use different words to represent the same command, so long as the first character matches a case in the switch.
5. What type of encoding is used for command arguments? How is it different
from Base64, and what advantages or disadvantages does it offer?
The malware splits the parameter into 2-character chunks. Each chunk is passed to the atoi function to convert it to an integer, which is then used as an index into the following string to obtain the character it represents.
It is a custom encoding technique, so it is not easily detected by existing tools.
It is fairly simple to reverse.
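As an added example (not code from the lab, the book or the malware itself), the Python below models the beacon indicators from question 1 together with the command checks and the 2-digit argument decoding from questions 4 and 5. The index alphabet `ALPHABET` is a hypothetical placeholder, since the page does not reproduce the string the malware indexes into, and the sample request and response are constructed.

```python
import re
from urllib.parse import urlsplit

# Hypothetical index alphabet: the page does not reproduce the string the
# malware indexes into, so this placeholder stands in for it.
ALPHABET = "/abcdefghijklmnopqrstuvwxyz0123456789:."

def decode_argument(encoded: str, alphabet: str = ALPHABET) -> str:
    """Two decimal digits per character: each pair is converted atoi-style
    and used as an index into the alphabet."""
    if len(encoded) % 2 or not encoded.isdigit():
        raise ValueError("argument must be an even number of decimal digits")
    return "".join(alphabet[int(encoded[i:i + 2])]
                   for i in range(0, len(encoded), 2))

def encode_argument(plain: str, alphabet: str = ALPHABET) -> str:
    """Inverse of decode_argument, used only to build constructed test traffic."""
    return "".join(f"{alphabet.index(c):02d}" for c in plain)

def extract_command(html: str):
    """Apply the checks from question 4 to a response body: a <noscript> tag,
    a URL right after it, the URL ending in 69', and a /command/parameter path.
    Returns (first character of command, decoded parameter) or None."""
    m = re.search(r"<noscript>([^<\s]+)", html)
    if not m or not m.group(1).endswith("69'"):
        return None
    parts = urlsplit(m.group(1)[:-3]).path.strip("/").split("/")
    if len(parts) != 2 or not all(parts):
        return None
    try:
        return parts[0][0], decode_argument(parts[1])  # only the first char selects the command
    except (ValueError, IndexError):
        return None

def beacon_indicators(request: str) -> list:
    """Flag the hard-coded beacon traits from question 1 in a raw HTTP request."""
    hits = []
    if re.search(r"^User-Agent: ?User-Agent:", request, re.M):
        hits.append("duplicated User-Agent prefix")
    if re.search(r"^UA-CPU:", request, re.M):
        hits.append("UA-CPU header")
    return hits

# Constructed sample traffic (not captured from the real sample).
SAMPLE_REQUEST = ("GET /start.htm HTTP/1.1\r\nUser-Agent: User-Agent: Mozilla/4.0\r\n"
                  "UA-CPU: x86\r\nAccept-Language: en-us\r\n\r\n")
SAMPLE_HTML = ("<html><body>welcome<noscript>http://example.invalid/download/"
               + encode_argument("http://example.invalid/a.exe") + "69'</noscript></body>")
```

Running `beacon_indicators(SAMPLE_REQUEST)` and `extract_command(SAMPLE_HTML)` shows both the request-side signature hits and the decoded download command a detector would surface.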
6. What commands are available to this malware?
| Command | Description |
|---|---|
| d | Download & Execute |
7. What is the purpose of this malware?
The malware serves as a backdoor by downloading and executing new code on the victim’s machine via HTTP requests. It can also rewrite the config file “autobat.exe” to make it connect to a different C2 server.
8. This chapter introduced the idea of targeting different areas of code
with independent signatures (where possible) in order to add resiliency
to network indicators. What are some distinct areas of code or configuration
data that can be targeted by network signatures?
- Any new URL found in “c:\\autobat.exe”
- Headers such as UA-CPU and User-Agent (duplicated User-Agent)
- HTTP response containing <noscript>[url][69']
9. What set of signatures should be used for this malware?
Refer to question 8.